Add support for NoNewPrivileges #557
Conversation
|
@LK4D4 @crosbymichael ping |
| @@ -300,6 +301,7 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config | |||
| config.Sysctl = spec.Linux.Sysctl | |||
| config.ProcessLabel = spec.Linux.SelinuxProcessLabel | |||
| config.AppArmorProfile = spec.Linux.ApparmorProfile | |||
| config.NoNewPrivileges = spec.Linux.NoNewPrivileges | |||
There was a problem hiding this comment.
Is there a spec update PR for this?
There was a problem hiding this comment.
This was pulled in a previous spec update.
|
This looks got to me. Need to get this into Docker ASAP, since it really helps people running non privileged work loads. Eliminates a lot of worry about contained non priv processes getting access to setuid or setfcap files. |
| @@ -171,6 +171,9 @@ type Config struct { | |||
| // A default action to be taken if no rules match is also given. | |||
| Seccomp *Seccomp `json:"seccomp"` | |||
|
|
|||
| // NoNewPrivileges controls whether processes in the container can gain additional privileges. | |||
| NoNewPrivileges bool `json:"nonewprivileges"` | |||
There was a problem hiding this comment.
Not a problem in this PR.
For json property names, we have nonewprivileges and noNewPrivileges and no_new_privileges in code, looks like we don't have code style for that yet, should we change them for consistency.
There was a problem hiding this comment.
Yeah, sticking to whatever style we have in each repo for now :/
Signed-off-by: Mrunal Patel <[email protected]>
|
Updated. |
|
Are we sure this work? Can you still apply seccomp rules after you have set NO_NEW_PRIVS? I thought I heard someone say that you could not. |
| @@ -109,6 +113,11 @@ func (l *linuxStandardInit) Init() error { | |||
| if err := syncParentReady(l.pipe); err != nil { | |||
| return err | |||
| } | |||
| if l.config.Config.NoNewPrivileges { | |||
There was a problem hiding this comment.
If there's no reason to place it after syncParentReady (like syncParentReady might break it), I'd prefer to place it before. Go likes to create new processes each time you do a syscall, which is the whole point of late cgroup apply (applying cgroups as late as possible means we're less likely to hit our resource limits or add any overhead during setup).
There was a problem hiding this comment.
Moved it above the sync.
|
@rhatdan I don't think that's right, if I'm reading this LWN article correctly:
If you read the actual code (from /*
* Installing a seccomp filter requires that the task has
* CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
* This avoids scenarios where unprivileged tasks can affect the
* behavior of privileged children.
*/
if (!task_no_new_privs(current) &&
security_capable_noaudit(current_cred(), current_user_ns(),
CAP_SYS_ADMIN) != 0)
return ERR_PTR(-EACCES);So I'm fairly sure this should work perfectly fine. |
|
Great. I am probably misremembering. |
|
Yes, I had looked at libseccomp earlier and it makes the call as well |
|
I checked that there is no harm in this getting called twice but prctl itself could get blocked by seccomp so makes sense to move this before seccomp. |
Signed-off-by: Mrunal Patel <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
|
LGTM |
1 similar comment
|
LGTM |
Bump version 1.0.0 rc2
Support NoNewPrivileges for additional security in containers.